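// https://syzkaller.appspot.com/bug?id=1f7228efc2b6b0e223cadc376c5935a7fb82ab9f
// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Kernel-crash reproducer. It is meant to be run inside a disposable VM
// (typically as root): it forks a fresh child forever, raises each child's
// oom_score_adj to 1000, maps a fixed 16 MiB RWX arena, and when a child
// hangs it aborts every FUSE connection on the system to make the child
// killable. None of that is acceptable on a machine you care about.
//
// NOTE(review): the page this was taken from had lost the header names after
// every #include; they are restored here from the identifiers the code uses
// (usleep, clock_gettime, vsnprintf, open/write/close, kill/waitpid,
// opendir/readdir, prctl, setpgrp, fork, syscall, memcpy, ...).
#define _GNU_SOURCE

#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

// Sleep for ms milliseconds (usleep takes microseconds).
static void sleep_ms(uint64_t ms)
{
	usleep(ms * 1000);
}

// Monotonic wall clock in milliseconds; exits the process if the clock
// cannot be read, since every timeout below depends on it.
static uint64_t current_time_ms(void)
{
	struct timespec ts;
	if (clock_gettime(CLOCK_MONOTONIC, &ts))
		exit(1);
	return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

// Format `what` (printf-style) into a 1 KiB buffer and write it to `file`
// with a single write(2). Longer output is silently truncated. Returns
// false, with errno preserved, if the file cannot be opened or the write
// is short or fails.
static bool write_file(const char* file, const char* what, ...)
{
	char buf[1024];
	va_list args;
	va_start(args, what);
	vsnprintf(buf, sizeof(buf), what, args);
	va_end(args);
	buf[sizeof(buf) - 1] = 0;
	int len = strlen(buf);

	int fd = open(file, O_WRONLY | O_CLOEXEC);
	if (fd == -1)
		return false;
	if (write(fd, buf, len) != len) {
		int err = errno;
		close(fd);
		errno = err;
		return false;
	}
	close(fd);
	return true;
}

// SIGKILL the child `pid` (and its whole process group) and reap it into
// *status. If the child has not been reaped after ~100 ms of polling it is
// assumed to be stuck in an uninterruptible FUSE request, so every
// /sys/fs/fuse/connections/*/abort on the system is poked (any byte written
// aborts that connection -- this is system-wide, not limited to the child's
// mounts) before blocking in waitpid until the child finally goes away.
static void kill_and_wait(int pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	for (int i = 0; i < 100; i++) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
	}

	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
		for (;;) {
			struct dirent* ent = readdir(dir);
			if (!ent)
				break;
			if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
				continue;
			// Renamed from `abort` to avoid shadowing abort(3).
			char abort_path[300];
			snprintf(abort_path, sizeof(abort_path),
				 "/sys/fs/fuse/connections/%s/abort", ent->d_name);
			int fd = open(abort_path, O_WRONLY);
			if (fd == -1)
				continue;
			// The content is irrelevant; writing any single byte aborts the
			// connection. Failure (e.g. not root) is deliberately ignored.
			if (write(fd, abort_path, 1) < 0) {
			}
			close(fd);
		}
		closedir(dir);
	}
	// Blocks until the child is reaped; unrelated children reaped along the
	// way are discarded.
	while (waitpid(-1, status, __WALL) != pid) {
	}
}

// Per-child setup: die with the parent, become a process-group leader (so
// kill_and_wait can kill the whole group) and make this child the OOM
// killer's first choice.
static void setup_test()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	write_file("/proc/self/oom_score_adj", "1000");
}

static void execute_one(void);
#define WAIT_FLAGS __WALL

// Run execute_one() in a fresh child forever. Each child gets 5 s; a child
// still alive after that is killed via kill_and_wait().
static void loop(void)
{
	for (;;) {
		int pid = fork();
		if (pid < 0)
			exit(1);
		if (pid == 0) {
			setup_test();
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			sleep_ms(10);
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			if (current_time_ms() - start < 5000)
				continue;
			kill_and_wait(pid, &status);
			break;
		}
	}
}

// Syscall result slots ("resources" in syzkaller terms); -1 means "not
// produced". r[0] is the fd returned by openat below.
uint64_t r[1] = {0xffffffffffffffff};

// The reproducer body, run once per child. All data lives in the fixed arena
// mapped by main(); the raw pointer stores below are intentionally
// unaligned (fine on x86-64; a strict-alignment target would need memcpy).
void execute_one(void)
{
	intptr_t res = 0;
	// Progress marker for the harness; the empty if only silences
	// warn_unused_result.
	if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
	}

	// openat$sequencer: openat(AT_FDCWD, NULL, O_LARGEFILE|O_RDWR, 0).
	// NOTE(review): the path is NULL (syzkaller "file: nil"), so this returns
	// -1/EFAULT and r[0] keeps its -1 initializer; the 9P write at the end
	// then targets fd -1 (EBADF). The crash is therefore presumably triggered
	// by the prctl() alone -- confirm against the dashboard report.
	res = syscall(__NR_openat, /*fd=AT_FDCWD*/ 0xffffffffffffff9cul,
		      /*file=*/0ul, /*flags=O_LARGEFILE|O_RDWR*/ 0x8002, /*mode=*/0);
	if (res != -1)
		r[0] = res;

	// prctl(PR_SCHED_CORE=0x3e, PR_SCHED_CORE_CREATE=1, pid=0 (self),
	//       PIDTYPE_PGID=2, NULL): create a core-scheduling cookie for the
	// caller's whole process group.
	syscall(__NR_prctl, /*option=*/0x3eul, /*cmd=*/1ul, /*pid=*/0,
		/*type=PIDTYPE_PGID*/ 2ul, /*uaddr=*/0ul);

	// write$P9_RSTATu: a 0x237-byte 9P2000.u Rstat message built at
	// 0x200000000580. Field offsets below follow p9_msg/p9_rstatu.
	*(uint32_t*)0x200000000580 = 0x237;      // size
	*(uint8_t*)0x200000000584 = 0x7d;        // type = P9_RSTAT
	*(uint16_t*)0x200000000585 = 2;          // tag
	*(uint16_t*)0x200000000587 = 0x500;      // rstat: ignored
	*(uint16_t*)0x200000000589 = 0xf6;       // rstat: size
	*(uint16_t*)0x20000000058b = 0;          // rstat: type
	*(uint32_t*)0x20000000058d = 0x4fffffd;  // rstat: dev
	*(uint8_t*)0x200000000591 = 0;           // qid.type
	*(uint32_t*)0x200000000592 = -1;         // qid.version
	*(uint64_t*)0x200000000596 = 8;          // qid.path
	*(uint32_t*)0x20000000059e = 0x41400000; // mode
	*(uint32_t*)0x2000000005a2 = 0;          // atime
	*(uint32_t*)0x2000000005a6 = 0xe5e0;     // mtime
	*(uint64_t*)0x2000000005aa = 5;          // length
	*(uint16_t*)0x2000000005b2 = 0x1b;       // name_len
	memcpy((void*)0x2000000005b4,            // name (27 bytes)
	       "\004nodev{evoo~\005E\306\000\005\b\0007\331:\213\222\000\000\000", 27);
	*(uint16_t*)0x2000000005cf = 0x33;       // uid_len
	memcpy((void*)0x2000000005d1,            // uid (51 bytes)
	       "pJ\206\316\306\002\000}\372g>\377\353\t\2655\037[\336\005@"
	       "\000\000\000\000\030{\202\000\265\000\000+Y_"
	       "\313\024\003\361\226\245\034\325\025z\334\201\003\264\224\341", 51);
	*(uint16_t*)0x200000000604 = 0x37;       // gid_len
	memcpy((void*)0x200000000606,            // gid (55 bytes)
	       "\317\303m\a\305\000\360L\330_*p\365\351\223\016^"
	       "\230\234\325\357MQ\366\r\247X,J\005\310\370(\366\215\301wM]\342\350 "
	       "\206#\201\366hm\321\273\217\327\000\000\000", 55);
	*(uint16_t*)0x20000000063d = 0x3e;       // muid_len
	memcpy((void*)0x20000000063f,            // muid (62 bytes)
	       "\370\366i\373qm\3171^\312\363\205@\232\306[\224\bg\214<;"
	       "\236\035R\303l\336{"
	       "\244\244\000\264\260w\334t\000\000\000\000\000\000\000\000\a\354!"
	       "\312\277\362\017\234\000\211\371\006\000\000\000\000\000", 62);
	*(uint16_t*)0x20000000067d = 0x12c;      // extension_len
	memcpy((void*)0x20000000067f,            // extension (300 bytes)
	       "odev/"
	       "n\261{#\000\371\332\245\356#&n\317\205\376\246^"
	       "B\331y\243\375\345\364u\332\360;\023r\331{"
	       "\255\307\tZ\375v\376O\004A\367\367t\036\254\003\000\000\354\377\000"
	       "\000\333\240\302\367\360\237\365<~M\032\326n-"
	       "\a\001\230\001\2370\021\204G\252\232t\365\026\205\365\006\256\211H"
	       "\006\207\202g\325\241)\215y,J7\362\341\313\275$"
	       "\202\222\232\r\211r\265\317s.\245\260\327#\205\235\272?"
	       "\223\256\323\264.\347\312\300}\340\235\035h\246\0033\250\202F}+"
	       "1\252\315\371\030\205I\261\022]lL\233\030\302\373V\305}}\306&"
	       "\3449\a\226\241\353H\'Fi\253\023\370\261\035\024`Y\363\020\342cMY?"
	       "\354e\325)\363\202\006fd\337$NL\220W\np\004\2379\237\006\037u\267y|"
	       "\341\376\021\352\221\226\t\325\032A\335=\343\004\275|~"
	       "\320\244V\360\256\022Qa\005\311\316\210}\365\246\340\266\247}"
	       "Yl\370\213\246\345\3069|}P!\327\230\225("
	       "\375\0279\341\302\330\177\377\000\000\000\000\000\000\000\000\000\000"
	       "\000\000\000\000\000\000\000", 300);
	*(uint32_t*)0x2000000007ab = 0;          // n_uid
	*(uint32_t*)0x2000000007af = 0;          // n_gid
	*(uint32_t*)0x2000000007b3 = 0;          // n_muid

	// syzkaller typed this fd as a 9P transport (wfd9p); r[0] is whatever
	// openat produced above (-1 as generated, see note there).
	syscall(__NR_write, /*fd=*/r[0], /*data=*/0x200000000580ul, /*size=*/0x237ul);
}

// Map the syzkaller scratch arena at a fixed address -- a PROT_NONE guard
// page below, 16 MiB RWX at 0x200000000000, a PROT_NONE guard page above --
// then run the reproducer loop forever. The arena only ever holds data here,
// but it is kept RWX for fidelity with the generated reproducer.
int main(void)
{
	syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul,
		/*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
		/*fd=*/(intptr_t)-1, /*offset=*/0ul);
	syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
		/*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
		/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
		/*fd=*/(intptr_t)-1, /*offset=*/0ul);
	syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul,
		/*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
		/*fd=*/(intptr_t)-1, /*offset=*/0ul);
	loop();
	return 0;
}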